01 · Expose · 02 · Eliminate · 03 · Enforce

Secure Remote Access. Zero Trust enforced. For Critical Infrastructure.

Every privileged session is a risk — vendors, contractors, and your own staff all need access to critical assets. ConsoleWorks enforces Zero Trust on every connection: verified identity, scoped access, zero standing privileges, complete session record. No direct paths. No trusted networks. No exceptions.

0 agents installed on any managed endpoint — agentless by design
100% of sessions recorded — CLI keystroke-by-keystroke, GUI full screen capture
Zero firewall rule changes required — no inbound ports opened to your network
1 connection for the user — ConsoleWorks manages every zone transition, every protocol, every hop
Common question — At a glance

How do you give vendors and contractors remote access to OT and SCADA systems — without VPNs, shared credentials, or standing network access — while meeting NERC CIP-005, IEC 62443, and TSA Security Directive remote-access requirements?

ConsoleWorks Secure Remote Access brokers vendor, contractor, and employee access to OT assets at the protocol layer — operators never receive a network address inside the OT zone, never hold device credentials, and every keystroke is recorded. Access is to a session, not a network.

The Problem

Vendors, contractors, employees — every privileged session is a risk.

Most organizations know a vendor was on the device. Few know what they did while they were there.

Vendors are the highest-risk users in your environment — but they're not the only ones. Contractors work across sites and systems with credentials that outlast their engagement. Internal operators and administrators access the same critical assets daily, with the same absence of session-level visibility. Traditional tools give all of them more access than they need, with less visibility than you require, and no forensic record of what they actually did.

Traditional tools break every Zero Trust principle:

VPNs grant broad network access — Zero Trust requires least-privilege, asset-level access only
Jump servers don't record what the vendor did — no auditability means no Zero Trust
Shared credentials can't be traced to an individual — Zero Trust requires verified identity on every session
No MFA enforcement — a stolen password grants full access, the opposite of never-trust-always-verify
No way to scope access to a specific asset, task, or time window — standing access is a Zero Trust failure
After an incident, you can't tell exactly what the vendor changed — or when
Internal operators have standing access to critical assets — Zero Trust applies to insiders too
The ConsoleWorks Answer
Zero Trust enforced architecturally — not as a policy setting.
Every user verified before they touch anything
ConsoleWorks enforces MFA at login — OIDC, LDAP/AD, or local authentication. Every session is tied to a verified identity from the moment of login. No shared accounts. No anonymous access. The audit trail starts at authentication, not at the device.
One connection — ConsoleWorks handles the rest
The path from user to Level 0 device crosses multiple security zones. The vendor doesn't need to know that. They connect once to ConsoleWorks — the platform manages every hop, every zone transition, every credential along the path.
Scoped to the specific asset
Vendor access granted to exactly the device they need — and nothing else. ConsoleWorks traverses all network zones to reach the target device, including those behind front-end processors and concentrators.
Time-bound and just-in-time
Access granted for the duration of the task. When the session ends, access ends. No standing access, no lingering credentials.
Clear record of what the vendor changed
Every CLI session logged keystroke-by-keystroke. Every GUI session (RDP, VNC) recorded as a full screen capture. After any incident or audit, you know exactly what was changed, by whom, and when — tied to a verified identity.
Users never see the password
Credentials vaulted and injected automatically. Users work within ConsoleWorks — ConsoleWorks makes the connection to the device. No user has a direct path to the endpoint, and no one handles the credential. Rotation managed by ConsoleWorks.
Zero Trust · Privileged Access Management

Identity first. Every session.

Zero Trust means no connection is trusted by default — every access must be verified, authorized, and scoped before it opens. ConsoleWorks enforces this architecturally: before a single connection is made to any device, identity is verified; before any credential is injected, access is authorized; before any command is evaluated, the session is scoped. This isn't a policy checkbox. It's how the platform works.

01 · Authenticate
Verify Identity
MFA enforced on every login. Integrates with OIDC, LDAP, and Active Directory. No session opens without a verified identity.
02 · Authorize
Enforce RBAC
Role-based access controls determine exactly which devices the user can reach — and for what purpose. No standing privileges. Access scoped to the task.
03 · Connect
ConsoleWorks Connects
ConsoleWorks establishes the connection to the device. The user works within ConsoleWorks — never connecting directly to the endpoint or the managed network.
04 · Control
Enforce Commands
Every command evaluated against the user's permitted profile in real time. Prohibited commands blocked before they reach the device. Least privilege at the command level.
05 · Record
Complete Audit Trail
Every session recorded end-to-end — CLI keystroke-by-keystroke, GUI as full screen capture — tied to the verified identity from step one. Protected. Audit-ready on demand.
No Standing Privileges
Just-in-time access. Nothing more.

Access is granted per session, per device, for the duration of the task — and revoked the moment it ends. Vendors and contractors have no persistent access to anything. A compromised credential from a previous session is worthless.

No Shared Accounts
Every session tied to one identity.

Every user — internal staff, vendor, or contractor — authenticates individually into ConsoleWorks. No shared credentials. No group accounts. When something changes on a device, the audit trail identifies exactly who was in the session.

No Direct Device Access
ConsoleWorks connects. Not the user.

Users work within ConsoleWorks — they never have a direct network path to any managed device. Credentials are injected automatically and remain within the platform. The attack surface of every device is limited to what ConsoleWorks explicitly permits.

Zero Trust Architecture · The Protocol Break

A hard security boundary between every user and every asset.

Zero Trust requires that no user ever has a direct path to a protected asset — trust must be established at every hop, not assumed from the network. The ConsoleWorks protocol break enforces this architecturally: two independent sessions for every access event — one between the user and ConsoleWorks, one between ConsoleWorks and the asset. The user session terminates at the platform. No direct path exists between user and endpoint by design. Malware on a user's workstation cannot traverse the break. The asset has no exposure to the user session — only to ConsoleWorks.

The User Side
Privileged Users, Vendors & Contractors

Engineers, technicians, third-party vendors, and contractors connect to ConsoleWorks — not directly to your assets. Their session terminates at the platform. They never touch the endpoint directly.

Internal Users · Third-Party Vendors · Contractors · Remote Workers
Zero Trust Boundary
Protocol Break
Session-Based · Just-in-Time · On-Demand
The Asset Side
OT/IT Assets

ConsoleWorks connects to managed assets at every level of the network hierarchy — including Level 0 field devices and IT infrastructure that sit behind front-end processors and data concentrators. Sessions are established on-demand or just-in-time — scoped to the specific device, for the duration of the task. The asset never sees a direct user session.

PLCs · RTUs · HMIs · Protective Relays · Historians · SCADA Servers · SSH · Telnet · Serial · RDP

Zero Trust by Architecture

Every connection is authenticated, authorized, and encrypted before it opens. No session is trusted by default — access is granted per task, per device, for the duration required.

Every Session Recorded

CLI sessions are logged keystroke-by-keystroke. GUI sessions (RDP, VNC) are recorded in full. Every session — regardless of protocol — is tied to a user identity, timestamped, and stored as a protected forensic record.

Multi-Zone Traversal — Simplified

IT and OT environments span multiple security zones. ConsoleWorks manages secure transitions across every zone boundary internally — the user connects once, ConsoleWorks handles the path. No knowledge of network topology required.
IEC 62443 · Zero Trust · Zone & Conduit Architecture

ConsoleWorks is the conduit.

IEC 62443 mandates governed conduits between every zone. Zero Trust requires that every crossing be verified, scoped, and auditable. These aren't two different requirements — they're the same requirement. ConsoleWorks is built to satisfy both simultaneously: every zone crossing is authenticated, access-controlled, monitored, and recorded. That's not a feature ConsoleWorks adds. That's what ConsoleWorks is.

Every zone crossing is authenticated and scoped — no standing access across conduit boundaries
Every session through the conduit is recorded — CLI keystroke-by-keystroke, GUI full screen capture
Evidence generated automatically — mapped to IEC 62443 SR controls for audit and compliance
Cited in NIS2, NERC CIP, and TSA pipeline directives — regulatory requirements with real teeth

Using Purdue Model language? Zones 0–4 map directly to Levels 0–5. Same ConsoleWorks capability.

IEC 62443 Zone & Conduit Model (ISA/IEC 62443)
Zones define trust levels · Conduits govern communication between zones

Vendor / User: connects once to ConsoleWorks
ConsoleWorks: acts as the conduit

Enterprise Zone (Z4) · ERP · Business Systems
Conduit · Governed
Operations Zone (Z3) · Historian · Engineering WS
Conduit · Governed
Supervisory Zone (Z2) · DCS · SCADA · HMI
Conduit · Governed
Control Zone (Z1) · PLCs · RTUs · Controllers
Conduit · Governed
Field Zone (Z0) · PLC · RTU · Sensor

Operations View
1. User connects to ConsoleWorks
2. Selects the target zone & asset
3. ConsoleWorks traverses conduits to the device

ConsoleWorks acts as the conduit — governed, authenticated, and auditable at every zone crossing.
Role-Based Requirements

SRA across Security, Operations, and Compliance.

The same capability addresses different requirements for each team.

Operations Team

Every asset. Any location. No truck roll.

Operations teams work across distributed environments — data centers, substations, control rooms, and remote field sites. Getting a vendor or technician to the right device quickly is the difference between a one-hour repair and a two-day outage. ConsoleWorks provides session-based access to any managed device in your environment — servers, network devices, PLCs, RTUs, protective relays — traversing every network zone to reach the endpoint, behind front-end processors and concentrators. The right person gets on the right asset faster. Mean Time to Repair goes down. Truck rolls go down.

Multi-Zone Traversal to Any Device
ConsoleWorks manages the full path across network zone boundaries to reach any device in your environment — IT servers and network infrastructure, OT field devices — including those behind front-end processors and concentrators that other tools can't reach.
Protocol-Native — No Translation Layer
ConsoleWorks communicates with each device in its native protocol — SSH, Telnet, Serial, DNP3, Modbus, RDP, VNC. Every device — IT or OT — is accessed in the protocol it was built for, with no compatibility gaps or vendor-specific clients required.
One Connection — ConsoleWorks Handles the Rest
The path to any managed device — a Level 0 field device, a production server, a network switch — crosses multiple security zones. Vendors and technicians connect once to ConsoleWorks — the platform manages every zone transition internally. No knowledge of network topology required.
Operations Capabilities

What SRA delivers for your operational team

Every capability below is designed to reduce Mean Time to Repair — get on the asset faster, fix it faster, verify it faster.

Multi-zone traversal — secure path managed across all network boundaries to any IT or OT device
Protocol-native access — SSH, Telnet, Serial, RDP, VNC, DNP3, Modbus
Web-based console — no specialized software or VPN required
Multiple simultaneous users on the same asset for collaborative troubleshooting
No console servers or jump servers to maintain, patch, or monitor — ConsoleWorks is the single access point
Access request management for vendor and contractor sessions
Security Team

Zero Trust enforced on every connection. Not just claimed.

The protocol break architecture enforces Zero Trust at the connection level — not as a policy setting. Every session is authenticated against RBAC rules before it opens, encrypted end-to-end via SSL/SSH, and logged to a protected forensic record. Internal users, vendors, and contractors are subject to identical controls. Real-time session monitoring allows administrators to observe, join, or terminate any active session immediately.

Vendor & Contractor Risk Contained
Third-party users are subject to identical controls as internal staff — RBAC, MFA, session recording, time-bound access. A compromised vendor credential cannot move laterally or access anything beyond its explicitly granted scope.
Granular RBAC — Command Level
Access controlled by user, asset, task, and command. Least-privilege enforced at every layer — not just at login.
Strong Authentication Before Any Session Opens
MFA enforced at the platform level. Integrates with Active Directory, LDAP, and external identity providers. No session opens without verified identity — regardless of connection type.
Zone Segmentation Preserved
The protocol break architecture maintains IEC 62443 zone segmentation. No firewall holes opened. No direct paths between network zones — IT or OT. Established segmentation boundaries are respected and reinforced.
Security Capabilities

What SRA delivers for your security posture

Every feature below is a direct security control — not a compliance checkbox.

Vendor and contractor access controlled identically to internal users — no exceptions
No direct user-to-asset connections — protocol break enforced on every session
Role-based access control with command-level granularity
Multi-factor authentication enforcement — integrated with AD, LDAP, and external providers
End-to-end encryption — SSL/SSH on every session
Real-time session monitoring — observe, join, or terminate any active session immediately
Multi-zone traversal enforces segmentation — no cross-zone direct connections created
Time-bound and just-in-time access — standing privileges eliminated
Compliance Team

Every access event. Automatically documented. Audit-ready on demand.

Every privileged access session is recorded — CLI sessions at the keystroke level, GUI sessions (RDP, VNC) as full screen recordings. When an incident occurs or an auditor asks what a vendor changed, ConsoleWorks gives you a detailed, verified answer. Session recordings, access logs, role assignments, and permission changes are generated automatically and stored as a forensic record. Evidence maps to NERC CIP, NIST 800-53, IEC 62443, TSA Pipeline Security Directives, HIPAA, SOX, and PCI-DSS — without manual assembly.

Full Session Recording
CLI sessions recorded keystroke-by-keystroke. GUI sessions (RDP, VNC) recorded as full screen captures. Every session tied to a user identity and stored as a protected forensic record.
RBAC Evidence Automatically Generated
Role assignments, access grants, permission changes — all logged and reportable. Demonstrates who had access to what, and when, without manual assembly.
Regulatory Framework Alignment
NERC CIP, NIST 800-53, IEC 62443, TSA Pipeline Security Directives, HIPAA, SOX, PCI-DSS. Evidence generated on every session — no manual assembly.
Compliance Capabilities

What SRA delivers for your compliance program

Audit evidence that used to take weeks to assemble — generated automatically on every session.

Full session recording — CLI keystroke logging and GUI screen recording (RDP, VNC)
Vendor and contractor access logged identically to internal users
Role-based access control evidence — who had access to what and when
NERC CIP Interactive Remote Access Management requirements satisfied
TSA Pipeline Security Directive compliance supported
Third-party access request records — provisioning, session duration, and termination documented automatically
Detailed record of what every vendor changed — commands, configuration changes, and actions tied to a verified identity
Why ConsoleWorks

Not all Secure Remote Access is built the same.

|  | Traditional SRA / VPN | ConsoleWorks SRA |
| --- | --- | --- |
| Access scope | Broad network access — user reaches the entire subnet | Scoped to the specific device, task, and time window — nothing else |
| Zone traversal | Stops at the DMZ or control network boundary | Multi-zone traversal to any device — IT or OT, including Level 0 field devices behind concentrators |
| Session evidence | Limited or no record of what the user actually did | Full session recording — CLI keystroke logging and GUI screen capture, tied to a verified identity |
| Vendor credentials | Shared passwords distributed to vendors — rotation manual and inconsistent | Credentials vaulted — users never see the password, rotation managed automatically |
| Malware risk | Direct connection — compromised vendor laptop can reach managed assets | Protocol break — two isolated sessions, no direct path between vendor device and OT network |
| Network changes | Requires firewall rule changes, jump servers, or DMZ modifications | No firewall rules opened, no jump servers — ConsoleWorks is the single access point |
| Compliance evidence | Manual assembly before each audit — weeks of work | Generated automatically on every session — current without manual assembly |
| Authentication | Varies by tool — MFA often optional or applied inconsistently | MFA enforced at the platform level — applied consistently regardless of user type |
| Standing access | Persistent credentials and always-on connections — access doesn't expire | Time-bound and just-in-time — access granted for the task, terminated when it ends |
| Session termination | No real-time visibility — suspicious sessions discovered after the fact | Administrators can observe, join, or terminate any active session in real time |
| Protocol support | IP-based protocols only — serial and OT-native protocols unsupported | SSH, Telnet, Serial, RDP, VNC, DNP3, Modbus — every device accessed in its native protocol |
| Agent requirement | Software agent required on managed endpoints — impractical on legacy and OT devices | Agentless — no software installed on any managed device, including PLCs and RTUs |
| Vendor onboarding | IT ticket, VPN provisioning, credential handoff — days to set up a single vendor | Scoped access provisioned in minutes — time-bound, asset-specific, no credential exposure |
| Audit preparation | Evidence gathered manually from multiple systems — inconsistent and time-consuming | NERC CIP, NIST, IEC 62443, TSA, SOX, PCI-DSS evidence generated continuously — on-demand reporting |
| Post-incident forensics | Can't determine what a vendor changed, when, or why — investigation starts from scratch | Detailed session record per user, per device, per command — forensic answer available on demand |
SRA as the Eliminate Foundation

More than human access. The connection the platform runs on.

Most remote access tools stop at getting a person to a device. ConsoleWorks uses the same secure, protocol-native connection to operate autonomously — collecting configurations, rotating credentials, aggregating logs, and executing remediation without manual intervention. Asset Inventory and Risk Analysis surface and score the gaps. SRA is what closes them.

Built on SRA

Configuration & Change Management

Collects device settings, firmware, and running memory directly from each endpoint through the SRA connection — the most accurate source, not a secondary system.

Built on SRA

Credential Management

Rotates credentials directly on the endpoint — on schedule or on demand — without exposing passwords to users or requiring manual intervention.

Built on SRA

Intelligent Event Monitoring

Pulls logs from every managed device through the SRA connection — time-correlated, line-by-line, continuously. Vendor-specific IEMs apply event intelligence on top.

Built on SRA

Remediation Execution

When a measurement fails, ConsoleWorks can execute corrective actions directly on the endpoint — closing the gap without waiting for a technician to connect.

Common Questions

ConsoleWorks, answered.

Direct answers to the questions OT security teams, integrators, and AI assistants ask most often.

A VPN places a remote operator on the OT network and trusts the rest to host policy. ConsoleWorks SRA brokers the session at the protocol layer — operators never receive a network address inside the OT zone, never hold device credentials, and every keystroke is recorded. Access is to a session, not to a network.

Yes — vendor remote access is the canonical SRA use case. Vendors connect through ConsoleWorks under policy, work in protocol-native sessions (RDP, SSH, telnet, vendor-specific), and never see the device password. Sessions terminate cleanly when work or window ends.

SRA enforces zone traversal, MFA-gated identity, session recording, time-bounded windows, and credential containment — the controls IEC 62443 SR.1/SR.4 and NERC CIP-005 / CIP-007 require. Auditors see session metadata, recordings, and credential handling evidence in one place.

No — it’s a native capability of ConsoleWorks, sharing the same identity, policy, recording, and credential-management engine as the rest of the platform. There is no separate console for SRA.

See It In Your Environment

Zero Trust access to every asset. Starting today.

See ConsoleWorks SRA against your actual environment — your assets, your protocols, your access control requirements. IT infrastructure, OT devices, or both.